(54) Key agreement method for secure communication system



(57) For transmitting confidential data, two devices
(D1, D2) are linked through a transmission channel
which is secured by symmetric encryption with a shared
secret session key. Both devices (D1, D2) possess the
same secret session key (K) which is developed from
two random keys (K1, K2) each of which is generated
in a different one of the devices. Both random keys are
exchanged between the devices (D1, D2) using
asymmetric encryption.
Description

[0001] The present invention relates to a method of 
transmitting confidential data between two communica- 
tion devices and, in particular, to a method of secure 
communication between a chipcard and a conditional 
access module (CAM) in a pay TV environment. 
[0002] EP 0 720 326 A2 discloses a method of
establishing a secure communication channel between two
similar stations. The communication procedure uses
symmetric encryption/decryption one to avoid problems
encountered with earlier systems where a distributed
master key is used in conjunction with modifier elements
such as a time stamp, a counter or the like. In the
symmetric procedure, a secret encryption key is known to
both communication devices. This method only works
with paired communication devices.
[0003] In another method that is disclosed in WO 
97/38530, a secure communication between two devic- 
es such as a CAM and a chipcard is obtained by asym- 
metric encryption. One of the devices generates a ran- 
dom key which is encrypted with a public key and sent 
to the second device. The second device decrypts the 
encrypted key with a corresponding private key. Both 
devices use the random key for encryption and decryp- 
tion of data exchanged between the devices. This meth- 
od relies on a random value generated in only one of 
the devices. 

[0004] The present invention provides a secure method
of transmitting data between two communication devices
which relies on a common secret based on two
values each of which is generated by a different one of
the devices, thereby avoiding possible replay attacks.
According to the invention, the method of transmitting
data between two communication devices includes the
following steps:

Step 1: a first random key is generated on the side
of the first communication device.

Step 2: a second random key is generated on the 
side of the second communication device. 

Step 3: the second random key is encrypted by 
means of a public key and transmitted to the first 
communication device. 

Step 4: on the side of the first communication de- 
vice, the transmitted second random key is decrypt- 
ed with a corresponding private key. 

Step 5: the first random key is encrypted on the side 
of the first communication device and transmitted 
to the second communication device. 

Step 6: the second communication device decrypts
the transmitted first random key.



Step 7: each communication device combines the 
random keys into a secret session key used for en- 
cryption and decryption of the data transmitted be- 
tween the devices. 

[0005] After step 7, both devices share a secret ses- 
sion key based on two random values generated inde- 
pendently of each other and in different devices, thereby 
excluding the possibility of a successful replay attack. 
[0006] A further improvement of the method is
achieved by using a particular encryption key for
encryption of the first random key in steps 5 and 6: in
addition to the second random key, a random number
(a "challenge") is generated on the side of the second
communication device, and this random number is likewise
encrypted with the public key and transferred to the first
communication device. The first communication device
decrypts the random number with its private key, and
the first random key is encrypted with the decrypted
random number prior to the transmission of the first
random key to the second communication device.
[0007] A preferred embodiment of the invention will 
now be disclosed with reference to the drawing. The sin- 
gle figure of the drawing illustrates essential steps of the 
preferred embodiment. 

[0008] With reference to the drawing, a first
communication device D1 is a Smart Card (SC) and a second
communication device D2 is a conditional access module
(CAM) in a digital pay TV environment (DVB, for
example), although the invention is not limited to
application in such an environment. Both devices D1 and D2
would exchange confidential data, such as entitlement
management messages (EMMs), entitlement control
messages (ECMs) and control words (CWs). To protect
the confidential data from eavesdropping, a secure
communication channel is established between the
devices D1, D2.

[0009] The first device D1 owns a secret private key
PrK and has a corresponding public key PuK. Device
D1 also has a random number generator G1.
[0010] The second device D2 knows the public key
PuK, which may have been received from device D1 in
the clear. Device D2 also has a random number
generator, G2.

[0011] Initially, both devices D1, D2 do not share any
secret. In order to provide a secret session key shared
by the devices and used for encryption/decryption of
data exchanged between the devices, a protocol is
proposed that is safe enough to avoid leakage of
information, and powerful enough to exchange keys of a
sufficient length. The protocol involves asymmetric
cryptography for transmission both from D1 to D2 and
from D2 to D1.

[0012] Random number generator G1 in device D1
internally generates a first random number K1. Random
number generator G2 in device D2 internally generates
a second random number K2. D2 will also generate a
further random value, a "challenge" CHLG. Random
numbers K1 and K2 are of a sufficient length to avoid
crypto-analytic brute-force attack.
[0013] Device D2 encrypts K2 and CHLG with public
key PuK and sends the result to device D1. Device D1
will receive the result and decrypt it with its private key
PrK. Device D1 now knows K2 and CHLG. Device D1
concatenates K2 with its own random number K1 and
encrypts the concatenated numbers with CHLG. The
encrypted result is sent from D1 to D2.
[0014] Device D2 now decrypts the received result to
K1 and K2 using CHLG as the decryption key to retrieve
K1 and K2. D2 checks for consistency of received K2
with its own K2. If the correct K2 has been received, both
devices D1 and D2 now share both random numbers K1
and K2.

[0015] Finally, both devices D1 and D2 will combine
random keys K1 and K2 in the same manner to provide
a secret session key K now owned by both devices.
Session key K is used for symmetric encryption and
decryption of confidential data exchanged between the
devices.
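
The exchange of paragraphs [0012] to [0015], sketched in Python as an added example that is not part of the patent text. The toy RSA key built from two Mersenne primes, unpadded RSA, the SHAKE-256 keystream used as the symmetric cipher under CHLG, the SHA-256 combiner and the 16-byte key length are all assumptions chosen so the sketch runs with the standard library; the document specifies none of them and none of them is secure as written.

```python
import hashlib
import secrets

KLEN = 16  # assumed byte length of K1, K2 and CHLG
# Constructed toy RSA key pair for D1 (Mersenne primes, NOT secure).
P, Q, E = 2**127 - 1, 2**521 - 1, 65537
N = P * Q                              # PuK = (N, E), known to D2
D = pow(E, -1, (P - 1) * (Q - 1))      # PrK, held only by D1

def stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHAKE-256 keystream."""
    ks = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def combine(k1: bytes, k2: bytes) -> bytes:
    """Assumed combiner; K has the same length as K1 and K2 (claim 5)."""
    return hashlib.sha256(k1 + k2).digest()[:KLEN]

class D2:  # second device, e.g. the CAM
    def hello(self) -> int:
        # [0012]/[0013]: fresh K2 and CHLG, encrypted together under PuK
        self.k2 = secrets.token_bytes(KLEN)
        self.chlg = secrets.token_bytes(KLEN)
        return pow(int.from_bytes(self.k2 + self.chlg, "big"), E, N)
    def finish(self, reply: bytes) -> bytes:
        # [0014]: decrypt with CHLG, then check the echoed K2
        plain = stream_xor(self.chlg, reply)
        k2, k1 = plain[:KLEN], plain[KLEN:]
        if not secrets.compare_digest(k2, self.k2):
            raise ValueError("K2 mismatch: stale or forged reply")
        return combine(k1, self.k2)    # [0015]

class D1:  # first device, e.g. the smart card
    def respond(self, c: int) -> bytes:
        m = pow(c, D, N).to_bytes(2 * KLEN, "big")   # decrypt with PrK
        k2, chlg = m[:KLEN], m[KLEN:]
        self.k1 = secrets.token_bytes(KLEN)
        self.key = combine(self.k1, k2)
        return stream_xor(chlg, k2 + self.k1)        # K2 || K1 under CHLG

def demo():
    card, cam = D1(), D2()
    reply = card.respond(cam.hello())
    agreed = cam.finish(reply) == card.key
    cam.hello()                        # new session: fresh K2 and CHLG
    try:
        cam.finish(reply); replay_accepted = True    # recorded reply replayed
    except ValueError:
        replay_accepted = False
    return agreed, replay_accepted
```

The K2 comparison in `finish` is what rejects a recorded reply, because the recording was made under an earlier K2 and CHLG.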

[0016] Another example for use of the invention is a
conditional access module (CAM) as the first device D1
and a decoder in a Set-Top-Box (STB) as the second
device D2. Here, too, confidential data would be
exchanged using a session key for encryption/decryption
that originates from two random numbers each
generated in a different one of the devices.



Claims 

1. A method of transmitting confidential data between
two communication devices, in which

a) a first random key (K1) is generated on the
side of the first communication device (D1);
b) a second random key (K2) is generated on
the side of the second communication device
(D2);

c) the second random key (K2) is encrypted by
means of a public key (PuK) and transmitted
from the second (D2) to the first (D1)
communication device;

d) on the side of the first communication device
(D1), the transmitted second random key (K2)
is decrypted using a corresponding private key
(PrK);

e) the first random key (K1) is encrypted on the
side of the first communication device (D1) and
transmitted to the second communication
device (D2);

f) the first communication device (D1) decrypts
the transmitted first random key (K1); and

g) both communication devices (1, 2) combine
the random keys (K1, K2) to a secret session
key (K) used by each device (D1, D2) for
symmetric encryption and decryption of the
confidential data.

2. The method according to claim 1, in which

h) in addition to the second random key (K2), a
random number (CHLG) is generated on the
side of the second communication device (D2);
i) the random number (CHLG) is likewise
encrypted by means of the public key (PuK) and
transferred to the first communication device
(D1);

j) the random number (CHLG) is decrypted by
the first communication device (D1) using its
private key (PrK);
k) the first random key (K1) is encrypted with
the random number (CHLG) prior to being
transmitted to the second communication
device (D2).

3. The method according to claim 2, in which

l) the first communication device (D1) encrypts
the second random key (K2) and transmits it to
the second communication device (D2);
m) the second communication device (D2)
decrypts the transmitted second random key (K2)
and checks its integrity by comparison with the
original second random number (K2).

4. The method according to claim 2, in which

n) the first communication device (D1) decrypts
the second random key (K2) using the random
number (CHLG) and transmits it to the second
communication device (D2);

o) the second communication device (D2)
decrypts the transmitted second random key (K2)
using the random number (CHLG) and checks
its integrity by comparison with the original
second random key (K2).

5. The method according to any of the preceding
claims, in which the session key (K) is developed
so as to have the same length as each of the first
and second random keys (K1, K2).

6. The method according to any of the preceding
claims, in which the first and second random keys
(K1, K2) are each produced by a respective random
number generator (G1, G2) of the first and second
communication device (D1, D2).

7. The method according to any of the preceding
claims, in which the first communication device (D1)
is a smart card and the second communication
device (D2) is a conditional access module (CAM).

8. The method according to any of claims 1 to 6, in
which the first communication device (D1) is a
conditional access module (CAM) and the second
communication device (D2) is a decoder in a
Set-Top-Box (STB).